A cool feature of Tesla (TSLA) vehicles is their ability to use your smartphone as a key to unlock, lock and even start the vehicle.
Though it might seem convenient to use such a feature, a pair of cybersecurity researchers took to YouTube to share a very concerning flaw they found that could possibly result in precious cars being stolen.
Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. uncovered a way for auto thieves to potentially steal Teslas in a matter of minutes without breaking any glass, hotwiring anything and without the owner even knowing their car was stolen.
Mysk and Bakry found that a simple phishing attack, a social engineering attack that fools users into handing over sensitive information, was all that was needed to commandeer a car.
The Mysk team demonstrated their method in a video on YouTube.
For their example, the researchers used a digital multitool called a Flipper Zero to set up a captive Wi-Fi network called "Tesla Guest," the same name that Tesla uses at its service centers. They also set up a fake webpage that looks just like the login page for Tesla.
With these tools, a theoretical attack would play out just like this:
A potential thief would stake out a place where Tesla drivers tend to frequent, such as a Tesla Supercharger. The end goal is to steal the critical credentials of a Tesla account.
In the scenario they demonstrated, a driver of a Tesla Model 3 pulls up to a Supercharger. They plug in, but they have to wait a while for the car to charge, and during that time they will eventually get bored.
Seeing that "Tesla" has free Wi-Fi, the driver connects to it on their phone and is instantly greeted with a login page that looks just like the one on the app. Once the driver enters their username and password, the real trouble begins.
On the other side of that fake website is the thief, or 'hacker' in this scenario, who has just stolen the Model 3 driver's login information and will attempt to log into the Tesla app on their phone using the stolen info. Immediately, the Model 3 driver will get a two-factor authentication code as a notification on their app; when they enter it on the fake website, the hacker gains full access to their account.
Once the thief, or 'hacker', is logged in, they can clone a "phone key", which lets them unlock, lock and control the car as they wish. In the demo, they were able to start the car using this method.
Tesla's app allows owners to track where their cars are and operate certain functions remotely. This also means that potential thieves who have stolen login information can stalk their victims and steal vehicles at their convenience.
Tesla provides two physical key cards with the purchase of a car, which are used to activate phone keys and physical key fobs that can be bought from Tesla. In the video, Mysk points out that the key card is needed to remove a key's access to the car and that the owner receives a notification once a key is removed. Additionally, Mysk mentioned that a key card is needed to pair a phone key to a car when someone is physically too far from the car.
Mysk told Tesla about the vulnerabilities and was told in reply that "they investigated the manner and determined that [the demonstrated phone key activation] is the intended behavior."
Mysk recommended at the end of the video that Tesla should make key card activation mandatory when adding another phone key and that Tesla should notify owners when new keys are created.